Method for computer-supported error analysis of sensors and/or actuators in a technical system

ABSTRACT

Disclosed is a method wherein a state description of the technical system for an error occurrence and a state description of the technical system for error-free operation are determined in order to detect sensor and/or actuator errors. The attainable states for both descriptions are preferably determined by model checking. A difference set of the states of both descriptions is formed, and its states are checked as to whether they comply with predeterminable conditions (e.g. safety requirements).

BACKGROUND OF THE INVENTION

It is of enormous significance for complex technical systems or installations to be able to make statements about the dependability of the respective system or installation.

It is known that statements about the dependability of an arbitrary technical system or installation can be produced manually, for example by what is referred to as fault tree analysis (see DIN 25424, Part 1: Fehlerbaumanalyse: Methode und Bildzeichen; Part 2: Handrechenverfahren zur Auswertung eines Fehlerbaums), or by simulation or analysis on the basis of models produced specifically for this purpose (see J. de Kleer and B. C. Williams, Diagnosing Multiple Faults, Elsevier Science Publishers, Artificial Intelligence, Vol. 32, 1987, pp. 97-130). For the sake of a simple presentation, only technical systems shall be mentioned below. However, technical installations are also covered by the term technical system within the scope of this document. A complete manual determination of the influences of a technical malfunction of sensors and/or actuators is practically not possible in a complex technical system due to the linked dependencies and the different forms of realizing the control, the control system and the sensor mechanisms and/or actuator mechanisms. The analytical techniques disclosed in the de Kleer et al. reference require the production of a specific model, for which it generally cannot be guaranteed that it correctly describes the system under consideration. Of course, the quality of the statements is substantially reduced thereby. A further considerable disadvantage of the approaches disclosed in the de Kleer et al. reference is that the production of the model requires additional development outlay and time. As a result, a short-term investigation of alternative realizations of a technical system, which is also referred to as rapid prototyping, is prevented.

It is known to describe a technical system in a finite-state description, for example as an automaton. A finite-state description usually comprises states in which actions are implemented when the technical system is in the respective state. Further, the finite-state description usually comprises state transitions that describe possible changes of the technical system between states. The technical system can also implement actions in state transitions. It is known in this context, for a controlled technical system, to fashion the finite-state description such that the behavior of the control of the technical system and the behavior of the controlled installation are presented as a state automaton. It is also not assured given these approaches that all possible influences of errors on the system are correctly identified.

Possibilities for a textual description of a state automaton that can be processed with a computer are, for example, the interlocking specification language (ISL) or the control specification language (CSL), which are described in K. Nökel, K. Winkelmann, Controller Synthesis and Verification: A Case Study, in: C. Leverentz, T. Lindner, Formal Development of Reactive Systems, Lecture Notes in Computer Science (No. 891), Springer 1995, pp. 55-74.

It is also known to employ a finite-state description for generating controls with a computer and for the computer-supported proof of properties of an error-free technical system.

One possibility for the computer-supported proof of properties of an error-free technical system employs the principle of what is referred to as model checking, which is described in J. Burch et al., Symbolic Model Checking for Sequential Circuit Verification, IEEE Trans. on Computer-Aided Design of Integrated Circuits and Systems, Vol. 13, No. 4, pp. 401-424, April 1994.

It is also known, for the finite-state description of a system, to employ what is referred to as the finite state machine format (FSM format), whose fundamentals are described in R. Bryant, Symbolic Boolean Manipulation with Ordered Binary-Decision Diagrams, ACM Computing Surveys, Vol. 24, No. 3, pp. 293-318, September 1992. Binary decision diagrams (BDD) have the advantage of representing even very extensive state systems compactly in many instances.

SUMMARY OF THE INVENTION

The invention is thus based on the problem of specifying a method for computer-supported error analysis of sensors and/or actuators in a technical system with which the correctness of the error analysis is assured.

The method according to the present invention is implemented with a computer and comprises the following steps:

-   a) a finite-state description of the technical system is determined for the error case of an error of a sensor and/or of an actuator of the system;
-   b) a first set of achievable states is determined for the technical system;
-   c) a second set of achievable states is determined for the error-affected technical system;
-   d) a difference set is formed from the first set and the second set;
-   e) result states are determined from the difference set, these result states satisfying prescribable conditions.

The invention can be graphically described in that model checking is implemented both for the error-free technical system and for a system affected by an error of a sensor and/or actuator. Due to the model checking, all achievable states of the error-free system and of the error-affected system, respectively, are identified. A difference set of states is formed from these states. The states of the difference set that meet a prescribable condition, for example a safety demand made of the system, are identified. These states represent a “dangerous” condition with respect to the prescribable condition for the error being investigated.

The method assures that all “dangerous” states are identified for all conditions prescribable in view of the respectively investigated error, i.e. for the faulty sensor and/or actuator.

It is advantageous to implement the method for all possible errors of sensors and/or actuators that the technical system comprises. In this way, it is assured for the entire system that all “dangerous” states in view of prescribable conditions are identified.

It is also advantageous to allocate failure probabilities to the sensors and/or actuators and to implement the error analysis taking the failure probabilities into consideration. In this way, it is possible, without greater calculating outlay in the implementation of the method with a computer, to indicate for each identified state the probability that this state will in fact be reached, so that a risk estimate for the respectively analyzed system becomes extremely simple and surveyable.

For further savings in calculating time in the implementation of the method with a computer, it is also advantageous to realize the finite-state description with a finite automaton in the form of a binary decision diagram (BDD).

The method, due to the above-described properties, can be very advantageously employed in the following fields:

-   given rapid prototyping of the technical system;
-   within the framework of the error diagnosis of the technical system;
-   for generating critical test cases for a commissioning and for a system test of the technical system;
-   for preventative maintenance of the technical system.

BRIEF DESCRIPTION OF THE DRAWINGS

The features of the present invention which are believed to be novel are set forth with particularity in the appended claims. The invention, together with further objects and advantages, may best be understood by reference to the following description taken in conjunction with the accompanying drawings, in the several Figures of which like reference numerals identify like elements, and in which:

FIG. 1 is a sketch-like presentation of the method;

FIG. 2 is a sketch of a finite-state description of a control and of the process of a technical system controlled by the control, whereby the error-free control and the process are each described as a separate state automaton;

FIG. 3 is a sketch of the finite-state description of FIG. 1 with a symbolically illustrated, general sensor error model and actuator error model;

FIG. 4 is a sketch of the finite-state description from FIG. 1 with a symbolically presented, non-persistent error of a sensor;

FIG. 5 is a sketch of the finite-state description from FIG. 1 with the error from FIG. 4, whereby the control was modified as a replacement for the error model;

FIG. 6 is a sketch of a plan view of the exemplary embodiment, a lift-off turntable of a manufacturing cell;

FIG. 7 is a sketch in which the provided movement of the lift-off turntable from FIG. 6 is shown;

FIG. 8 is a sketch of the state space of the error-free lift-off turntable;

FIG. 9 is a sketch of the state space of an error-affected lift-off turntable.

DESCRIPTION OF THE PREFERRED EMBODIMENTS

A suitable finite-state description represents the behavior of the control and the behavior of the control system as a state automaton. The presentation can ensue in various ways, for example in textual form upon employment of ISL or CSL.

FIG. 2 shows a simple technical system with an error-free control FS, states y1, y2, y3 and state transitions x1, x2 as a state automaton. The control S describes actuators as states. A controlled process P contains the description of sensors x1, x2, x3 as states x1, x2, x3 and state transitions y1, y2, y3.

The control S of the system reacts to measured values xj (x1, x2, x3) of sensors X. State transitions in the control S are thus triggered by sensor data. The states are characterized by values yi (y1, y2, y3) of state variables Y that are allocated to actuators. The setting of actuators Y in turn triggers state transitions in the controlled system, i.e. in the process P, which is expressed in the modification of the values of the sensors X.

The state automata of the control S and of the process P implement state transitions in alternation. The outputs of the one automaton are the inputs of the respective other automaton.

The interface between control and controlled environment can be automatically recognized in a corresponding description. Further, it is possible, as described in detail later, to derive from such a description the value set that the individual values (states or state transitions) can assume.

FIG. 3 symbolically shows an error modeling for error-affected sensors in a sensor error model SF and for error-affected actuators in an actuator error model AF.

Technically, thus, sensors X and actuators Y are connected to the interface between control S and controlled process P. A malfunction of a sensor X leads to a different, error-affected value x′j being delivered to the control S, i.e. supplied to the control S, instead of the correct measured value xj. A malfunction of an actuator is expressed in the setting of an incorrect value y′i instead of the value yi. Which sensors X and actuators Y are present and what value set is to be taken into consideration here can be derived from the finite-state description.

This allows the automated, systematic analysis of the effects of sensor and actuator errors on the behavior of a controlled system. Sensor error models SF or actuator error models AF that describe the respective error of the sensor x and/or actuator y are inserted between the controlled process P and the control S. Exemplary models for intermittent (non-persistent), individual errors of the sensor mechanism and actuator mechanism are recited in FIG. 3.

A non-persistent, individual error of a sensor x is described by the following rule:

A non-persistent, individual error of an actuator y is described by the following rule:

FIG. 4 shows the general sensor error model SF from FIG. 3 for the case that a non-persistent, individual error of a first sensor value x1 is present, such that the first sensor value x1 either exhibits the correct first sensor value x1 or, due to a sensor error, exhibits a second sensor value x2 that would be an incorrect value in this case. The second sensor value x2 and a third sensor value x3 are correctly measured.

An important question that must be answered is whether the combination of control S and controlled process P can proceed into critical conditions due to the sensor error that would be reliably precluded in the error-free case.

One possibility of producing this proof for the error-free case is offered by what is referred to as model checking, which is described in J. Burch et al., Symbolic Model Checking for Sequential Circuit Verification, IEEE Trans. on Computer-Aided Design of Integrated Circuits and Systems, Vol. 13, No. 4, pp. 401-424, April 1994. This method allows the set of achievable states to be identified and examined as to whether it contains states that, for example, infringe safety conditions.

In order to be able to apply this technique for the error analysis of sensors X and/or actuators Y contained in the system, the sensor error models SF or actuator error models AF are described here by a modified control logic (see FIG. 5).

The combination of control S and controlled process P shown in FIG. 5 behaves identically to the model shown in FIG. 4 in the error case given the first sensor value x1. However, the insertion of an explicit error model between control S and controlled process P can be foregone here. Due to the assumed intermittent error, state transitions marked with x1 are inserted in the control S parallel to the state transitions marked with x2.

The following situation is thus described: the second sensor value x2 and the third sensor value x3 are correctly measured. The controlled behavior is therefore unmodified for these values. Since an intermittent error is assumed, the first sensor value x1 can also be correctly reported, so that these state transitions are maintained. If a persistent exchange of the first sensor value x1 with the second sensor value x2 were assumed, then the edges labeled with x1 would have to be erased. All state transitions that are marked with x2 can now also be run at the value x1. A corresponding edge is therefore supplemented in the control S. The control S reacts to the value x2 but at the location x1 of the process.

This modification of the control logic for describing errors can be formally and automatically implemented by the computer for all errors that can be considered.

The questions about the reachability of critical conditions (for example safety, deadlocks) for the resulting models can likewise be answered by applying model checking. An automatic determination of the states achievable in the error-affected system thus preferably ensues upon application of model checking.

Subsequently, a difference set of the states achievable in the respective error case and the states achievable in the error-free case is determined.

Those states that at least meet a condition prescribable by the user (for example, violation of a safety demand) or, respectively, that violate this condition are determined, dependent on the application.

FIG. 1 shows this procedure again symbolically in a block circuit diagram. At least one sensor error model SF and/or at least one actuator error model AF is produced for the control FS and the controlled process P, and a formal analysis of the finite-state description for the error-affected system ensues, preferably by model checking, taking these into consideration.

For the result of the comparison to the error-free system and the determination of “dangerous” conditions, the cause-and-effect relationships between sensor errors or actuator errors and the possible occurrence of the effect under consideration are determined and preferably portrayed in a cause-and-effect graph.

FIG. 6 shows a technical system in the form of a lift-off turntable HD of a fabrication cell FZ with which the method is to be presented in yet greater detail.

The fabrication cell FZ comprises a delivering conveyor belt FB at whose end a lift-off turntable picks up workpieces and supplies them to a robot R. The robot R places the workpiece into a press PR and places it, after being shaped, onto an outgoing belt WB. The fabrication cell FZ contains corresponding sensors X and actuators Y.

The lift-off turntable HD can move in the vertical (vmov) and horizontal (hmov) direction with the assistance of two drives (not shown). Each drive can be driven in the negative (minus) or positive (plus) direction or can stand still (stop).

The lift-off turntable HD has sensors X for vertical (vpos) and horizontal (hpos) position acquisition that can distinguish the positions x0 (bottom), x1 (middle) and x2 (top). In addition, a further sensor (part_on_table) (not shown) acquires the presence of a workpiece WS on the lift-off turntable HD.

The initial position AP of the lift-off turntable HD is at the lower left stop (x0, x0) without workpiece WS (see FIG. 7). When a workpiece WS falls from the delivering conveyor belt FB onto the lift-off turntable HD, then the target position ZP of the lift-off turntable HD is at the upper right (x2, x2).

The lift-off turntable HD may never assume a horizontal position other than x0 (left stop) in combination with the vertical position x0 (bottom), since it would otherwise collide with the delivering conveyor belt FB (forbidden area VB).

A description of the state automaton of the control FS of the lift-off turntable HD in CSL is recited below:

    CSL
    Classes
      Types
        bool    = [no, yes];
        posType = [x0, x1, x2];
        movType = [stop, plus, minus];
      Class pcd
        StateVariables
          input  vpos          : posType default x0;
          input  hpos          : posType default x0;
          input  part_on_table : bool    default no;
          output vmov          : movType default stop;
          output hmov          : movType default stop;
        Transitions
          start_up    := (part_on_table = yes /\ vpos = x0)              ==> (** vmov = plus);
          rotate      := (part_on_table = yes /\ vpos = x1 /\ hpos < x2) ==> (** hmov = plus);
          stophigh    := (part_on_table = yes /\ vpos = x2)              ==> (** vmov = stop);
          stop45      := (part_on_table = yes /\ hpos = x2)              ==> (** hmov = stop);
          rotate_back := (part_on_table = no  /\ vpos = x2 /\ hpos = x2) ==> (** hmov = minus);
          start_down  := (part_on_table = no  /\ hpos = x0 /\ vpos = x2) ==> (** hmov = stop /\ ** vmov = minus);
          stoplow     := (part_on_table = no  /\ vpos = x0)              ==> (** vmov = stop);
      End /* Class pcd_control */
    End
    Instances
      table : pcd;
    End

The above description in CSL determines the control logic of the lift-off turntable HD. The head of the CSL description declares the data types (value ranges) of the state variables. The subsequent declaration of the state variables uses these type declarations and additionally determines starting values. On the basis of the declaration of state variables as input or output, a determination can be made as to whether a state variable represents the process condition or encodes the states of the control FS. Input variables of the control FS encode process conditions. Output variables of the control FS encode control conditions.

The line “input vpos : posType default x0” declares a state variable having the name “vpos” that can assume the values x0, x1 and x2 (the values of the type posType) and whose initial value is x0.

The transitions serve for describing the control logic. Transitions are triggered by value combinations of the input variables of the control FS that represent process conditions, i.e. the position of the lift-off turntable HD in the vertical (vpos) and the horizontal (hpos) motion direction and the presence of a workpiece WS on the lift-off turntable HD (part_on_table). The values of the output variables vmov and hmov are modified by the transitions that constitute the control logic. They describe the states of the control. Their values are modified only by state transitions of the control, i.e. by the logic impressed on the control.

This information can be automatically taken from the CSL description. A distinction can be made between inputs of the control (inputs: sensor data) and outputs of the control (outputs: actuator commands). Moreover, the respectively possible values can be recognized (type declarations).

Even after the translation of the CSL description into what is referred to as the finite state machine format (FSM format), this information is essentially preserved. The FSM format represents the finite-state description in the form of what are referred to as binary decision diagrams (BDD), which have the advantage of also representing very extensive state systems in compact form in many instances. R. Bryant, Symbolic Boolean Manipulation with Ordered Binary-Decision Diagrams, ACM Computing Surveys, Vol. 24, No. 3, pp. 293-318, September 1992 presents an overview of binary decision diagrams (BDD).

A process model for describing the reactions of the controlled process is required in addition to the control logic described in CSL in order, for example, to enable statements about the set of achievable states. This can ensue in the framework of model checking with the assistance of what are referred to as assumptions. Since model checking is usually also employed in the framework of the formal verification of the error-free control, these assumptions are usually already present and can be re-employed in the framework of this analysis.

The assumptions describe how the positions of the lift-off turntable HD and the presence of a workpiece WS can vary dependent on the motion direction and the current position. The assumption

    (‘table.vmov’=stop /\ ‘table.vpos’=x0) /\ x(‘table.vpos’=x0)

expresses that the vertical position is x0 in the next state when the vertical motion has stopped and the current vertical position is down (x0). This assumption is based on the situation that the positions do not change when no motion occurs.

Possible assumptions, i.e. conditions, for the above-described control FS are described below:

    process := g(
        (    ((‘table.vmov’=stop  /\ ‘table.vpos’=x0) /\ x(‘table.vpos’=x0))
          \/ ((‘table.vmov’=stop  /\ ‘table.vpos’=x1) /\ x(‘table.vpos’=x1))
          \/ ((‘table.vmov’=stop  /\ ‘table.vpos’=x2) /\ x(‘table.vpos’=x2))
          \/ ((‘table.vmov’=plus  /\ ‘table.vpos’=x0) /\ x(‘table.vpos’=x0 \/ ‘table.vpos’=x1))
          \/ ((‘table.vmov’=plus  /\ ‘table.vpos’=x1) /\ x(‘table.vpos’=x1 \/ ‘table.vpos’=x2))
          \/ ((‘table.vmov’=plus  /\ ‘table.vpos’=x2) /\ x(‘table.vpos’=x2))
          \/ ((‘table.vmov’=minus /\ ‘table.vpos’=x0) /\ x(‘table.vpos’=x0))
          \/ ((‘table.vmov’=minus /\ ‘table.vpos’=x1) /\ x(‘table.vpos’=x0 \/ ‘table.vpos’=x1))
          \/ ((‘table.vmov’=minus /\ ‘table.vpos’=x2) /\ x(‘table.vpos’=x1 \/ ‘table.vpos’=x2))
        )
        /\
        (    ((‘table.hmov’=stop  /\ ‘table.hpos’=x0) /\ x(‘table.hpos’=x0))
          \/ ((‘table.hmov’=stop  /\ ‘table.hpos’=x1) /\ x(‘table.hpos’=x1))
          \/ ((‘table.hmov’=stop  /\ ‘table.hpos’=x2) /\ x(‘table.hpos’=x2))
          \/ ((‘table.hmov’=plus  /\ ‘table.hpos’=x0) /\ x(‘table.hpos’=x0 \/ ‘table.hpos’=x1))
          \/ ((‘table.hmov’=plus  /\ ‘table.hpos’=x1) /\ x(‘table.hpos’=x1 \/ ‘table.hpos’=x2))
          \/ ((‘table.hmov’=plus  /\ ‘table.hpos’=x2) /\ x(‘table.hpos’=x2))
          \/ ((‘table.hmov’=minus /\ ‘table.hpos’=x0) /\ x(‘table.hpos’=x0))
          \/ ((‘table.hmov’=minus /\ ‘table.hpos’=x1) /\ x(‘table.hpos’=x0 \/ ‘table.hpos’=x1))
          \/ ((‘table.hmov’=minus /\ ‘table.hpos’=x2) /\ x(‘table.hpos’=x1 \/ ‘table.hpos’=x2))
        )
        /\
        (    ((‘table.vpos’=x0 /\ ‘table.hpos’=x0 /\ ‘table.vmov’=stop /\ ‘table.hmov’=stop /\ ‘table.part_on_table’=no)
                /\ x(‘table.part_on_table’=yes))
          \/ ((‘table.vpos’=x2 /\ ‘table.hpos’=x2 /\ ‘table.vmov’=stop /\ ‘table.hmov’=stop /\ ‘table.part_on_table’=yes)
                /\ x(‘table.part_on_table’=no))
          \/ (‘table.part_on_table’=yes /\ x(‘table.part_on_table’=yes))
          \/ (‘table.part_on_table’=no  /\ x(‘table.part_on_table’=no))
        )
    ).

FIG. 8 shows a state space ZR of the lift-off turntable HD and the motion of the error-free lift-off turntable HD in the state space ZR, as derives after the implementation of the model checking on the finite-state description of the error-free control FS with the indicated assumptions.

The rows respectively show a value combination of the three variables (vpos, hpos, part_on_table). A value pair of the two variables (vmov, hmov), with the respective above-defined value sets, is shown in the columns.

Shaded circles in the state space ZR mark “forbidden” or “dangerous” conditions in view of the safety condition. Bold-face circles in the state space ZR mark states that the lift-off turntable HD can assume according to the above description. These were determined by the model checking. State transitions in the state space ZR are indicated with arrows.

FIG. 9 shows the state space ZR of the lift-off turntable HD and the movement of the lift-off turntable HD in the state space ZR when the sensor “part_on_table” incorrectly reports a workpiece WS. The same designations are employed in FIG. 9 as in FIG. 8. It can be clearly seen that states can occur for this error case that cannot be achieved in the error-free system. These states are referenced VZ in FIG. 9.
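As an added example (not code from the patent or its CSL tooling), the following Python script encodes the control FS from the CSL description above and the process assumptions as an explicit transition relation, computes the achievable states of the error-free system and of the system with the intermittent part_on_table error of FIG. 9 by breadth-first search, and filters the difference set by the safety condition of the forbidden area VB. Assumed, because the description does not state them: control and process step in alternation, all enabled CSL transitions of one step fire together, and the intermittent error is modeled as the control receiving either the true sensor value or “yes”.

```python
"""Explicit-state reachability analysis of the lift-off turntable control.

Added example, not code from the patent.  Assumed semantics: control and
process step in alternation, and all enabled CSL transitions of one step fire
together (their assignments never conflict for this control).  The process
assumptions of the description are encoded in next_positions and next_part.
"""
from collections import deque

X0, X1, X2 = 0, 1, 2                         # posType; integers so that 'hpos < x2' works
STOP, PLUS, MINUS = "stop", "plus", "minus"  # movType
NO, YES = "no", "yes"                        # bool

# A state is (vpos, hpos, part_on_table, vmov, hmov): the three inputs of the
# control FS followed by its two outputs, all starting at their CSL defaults.
INITIAL = (X0, X0, NO, STOP, STOP)


def control_step(vpos, hpos, part, vmov, hmov):
    """The seven transitions of CSL class pcd, applied to the observed inputs."""
    if part == YES and vpos == X0:                 # start_up
        vmov = PLUS
    if part == YES and vpos == X1 and hpos < X2:   # rotate
        hmov = PLUS
    if part == YES and vpos == X2:                 # stophigh
        vmov = STOP
    if part == YES and hpos == X2:                 # stop45
        hmov = STOP
    if part == NO and vpos == X2 and hpos == X2:   # rotate_back
        hmov = MINUS
    if part == NO and hpos == X0 and vpos == X2:   # start_down
        hmov, vmov = STOP, MINUS
    if part == NO and vpos == X0:                  # stoplow
        vmov = STOP
    return vmov, hmov


def next_positions(pos, mov):
    """Position assumption for one axis: a running drive advances by at most one position."""
    if mov == STOP:
        return {pos}
    if mov == PLUS:
        return {pos, min(pos + 1, X2)}
    return {pos, max(pos - 1, X0)}


def next_part(vpos, hpos, part, vmov, hmov):
    """part_on_table assumption: a workpiece arrives only at the initial position
    and leaves only at the target position, each with both drives stopped."""
    nxt = {part}
    if (vpos, hpos, vmov, hmov, part) == (X0, X0, STOP, STOP, NO):
        nxt.add(YES)
    if (vpos, hpos, vmov, hmov, part) == (X2, X2, STOP, STOP, YES):
        nxt.add(NO)
    return nxt


def successors(state, observe_part):
    """One control step followed by one process step.  observe_part maps the
    true value of part_on_table to the set of values the control may receive."""
    vpos, hpos, part, vmov, hmov = state
    for seen in observe_part(part):
        vmov2, hmov2 = control_step(vpos, hpos, seen, vmov, hmov)
        for v in next_positions(vpos, vmov2):
            for h in next_positions(hpos, hmov2):
                for p in next_part(vpos, hpos, part, vmov2, hmov2):
                    yield (v, h, p, vmov2, hmov2)


def reachable(observe_part):
    """Breadth-first fixpoint of the transition relation: the set of achievable states."""
    seen, queue = {INITIAL}, deque([INITIAL])
    while queue:
        for nxt in successors(queue.popleft(), observe_part):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def error_free(part):
    return {part}


def part_sensor_false_yes(part):
    """Intermittent error of FIG. 9: part_on_table may wrongly report a workpiece."""
    return {part, YES}


def forbidden(state):
    """Safety condition: forbidden area VB is vpos = x0 combined with hpos != x0."""
    vpos, hpos, *_ = state
    return vpos == X0 and hpos != X0


def dangerous_states(observe_part):
    """Steps b) to e): difference set of achievable states, filtered by the safety condition."""
    diff = reachable(observe_part) - reachable(error_free)
    return {s for s in diff if forbidden(s)}


if __name__ == "__main__":
    for s in sorted(dangerous_states(part_sensor_false_yes)):
        print("dangerous state reachable only with the faulty sensor:", s)
```

The error-free system never enters the forbidden area, whereas with the faulty sensor the control can issue rotate while the table is still descending (vmov = minus), which leads into VB.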

Failure probabilities that respectively describe the probability for the occurrence of an error at the sensor x or actuator y are allocated to the individual sensors x and/or actuators y. By linking compound probabilities for the occurrence of errors of various sensors and/or actuators and for the occurrence of various states, a very simple risk estimate for the technical system can ensue on the basis of this procedure. Details for calculating dependent probabilities for the occurrence of errors may be found in DIN 25424, Part 1: Fehlerbaumanalyse: Methode und Bildzeichen; Part 2: Handrechenverfahren zur Auswertung eines Fehlerbaums.

The error analysis thus ensues taking the failure probabilities into consideration.

The method is preferably implemented for all possible errors of the existing sensors and/or actuators.

The invention is not limited to the particular details of the method and apparatus depicted, and other modifications and applications are contemplated. Certain other changes may be made in the above-described method and apparatus without departing from the true spirit and scope of the invention herein involved. It is intended, therefore, that the subject matter in the above depiction shall be interpreted as illustrative and not in a limiting sense.

The following publications were cited in the framework of this document:

-   [1] DIN 25424, Part 1: Fehlerbaumanalyse: Methode und Bildzeichen; Part 2: Handrechenverfahren zur Auswertung eines Fehlerbaums.
-   [2] J. de Kleer and B. C. Williams, Diagnosing Multiple Faults, Elsevier Science Publishers, Artificial Intelligence, Vol. 32, 1987, pp. 97-130.
-   [3] K. Nökel, K. Winkelmann, Controller Synthesis and Verification: A Case Study, in: C. Leverentz, T. Lindner, Formal Development of Reactive Systems, Lecture Notes in Computer Science (No. 891), Springer 1995, pp. 55-74.
-   [4] J. Burch et al., Symbolic Model Checking for Sequential Circuit Verification, IEEE Trans. on Computer-Aided Design of Integrated Circuits and Systems, Vol. 13, No. 4, pp. 401-424, April 1994.
-   [5] R. Bryant, Symbolic Boolean Manipulation with Ordered Binary-Decision Diagrams, ACM Computing Surveys, Vol. 24, No. 3, pp. 293-318, September 1992.

1. A method for computer-supported error analysis of at least one of sensors and actuators in a technical system, the error analysis being in a form of a finite state description that exhibits states of the technical system, the method using a computer, comprising: a) determining a finite state description of the technical system for an error case of an error of at least one of a sensor and an actuator in the technical system; b) determining a first set of achievable states for the technical system without errors using the finite state description; c) determining a second set of achievable states for the technical system having an error, using the finite state description; d) forming a difference set from the first set and the second set; and e) determining result conditions from the difference set, the result conditions meeting prescribable conditions.
 2. The method according to claim 1, wherein method steps a) through e) are implemented for all possible errors of sensors and/or actuators in the technical system.
 3. The method according to claim 1, wherein failure probabilities are allocated to the sensors and/or actuators; and wherein the error analysis ensues taking the failure probabilities into consideration.
 4. The method according to claim 1, wherein method steps b) and c) ensue according to a method of model checking.
 5. The method according to claim 1, wherein a finite state description of a process implemented by the technical system is included in the method.
6. The method according to claim 1, wherein the finite state description of the process is realized by a finite automaton.
7. The method according to claim 6, wherein the finite state description is realized by a finite automaton formed as a binary decision diagram.
 8. A method for rapid prototyping of a technical system, the system having at least one of sensors and actuators in a technical system, the prototyping being in a form of a finite state description that exhibits states of the technical system, the method using a computer, comprising: determining a finite state description of the technical system for an error case of an error of at least one of a sensor and an actuator in the technical system, using the finite state description; determining a first set of achievable states for the technical system without errors using the finite state description; determining a second set of achievable states for the technical system having an error, using the finite state description; forming a difference set from the first set and the second set; and determining result conditions from the difference set, the result conditions effecting prototyping of the technical system.
9. A method for error diagnosis of a technical system, the system having at least one of sensors and actuators in a technical system, the error diagnosis being in a form of a finite state description that exhibits states of the technical system, the method using a computer, comprising: determining a finite state description of the technical system for an error case of an error of at least one of a sensor and an actuator in the technical system, using the finite state description; determining a first set of achievable states for the technical system without errors; determining a second set of achievable states for the technical system having an error, using the finite state description; forming a difference set from the first set and the second set; and determining result conditions from the difference set, the result conditions effecting error diagnosis of the technical system.
 10. A method for generating critical test cases for a commissioning and a system test of a technical system, the system having at least one of sensors and actuators in a technical system, the generating being in a form of a finite state description that exhibits states of the technical system, the method using a computer, comprising: determining a finite state description of the technical system for an error case of an error of at least one of a sensor and an actuator in the technical system; determining a first set of achievable states for the technical system without errors, using the finite state description; determining a second set of achievable states for the technical system having an error, using the finite state description; forming a difference set from the first set and the second set; and determining result conditions from the difference set, the result conditions effecting the generation of critical test cases.
11. A method for preventive maintenance of a technical system, the system having at least one of sensors and actuators in a technical system, the method being in a form of a finite state description that exhibits states of the technical system, the method using a computer, comprising: determining a finite state description of the technical system for an error case of an error of at least one of a sensor and an actuator in the technical system; determining a first set of achievable states for the technical system without errors, using the finite state description; determining a second set of achievable states for the technical system having an error, using the finite state description; forming a difference set from the first set and the second set; and determining result conditions from the difference set, the result conditions effecting the preventive maintenance.